From: eNowak IGF remote (nowakrz.uni-frankfurt.de)
Date: Wed Dec 19 2001 - 17:45:00 CST

    The given example
     
    http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist+httplist/../../../../../system/autoexec.ncf

    results in

          "Cannot read from insecure path."

    according to viewcode.jse code fragment:

          // only read file which is under the secure sewse path -- hence filtering ".."
          if ((argv[i]).indexOf("..") != -1)
          { return "Cannot read from insecure path."; }

    System: NW5.1sp3
    sys:/novonyx/suitespot/docs/sewse/viewcode.jse of 03/12/01.

    Workarounds:
    ~~~~~~~~~~~~
    Apply service pack, latest version has been out for 5 months!

    Greetings
    E.N.

    --
    ---------------------------------------------------------
    Eberhard Nowak, JWG-Universitaet, Hochschulrechenzentrum
    Grueneburgplatz 1, 60629 Frankfurt, Germany
    Phone : +49 69 798-33198          Fax: +49 69 798-28313
    E-mail: nowakrz.uni-frankfurt.de
    

    >>> IRM Security Advisories<advisoriesirmplc.com> 19.12.2001 12:44 >>>
    >demonstrate the flexibility and features of the product. However, one
    >sample page uses a Netware Loadable Module (NLM) called sewse.nlm to
    >call a script called viewcode.jse. The viewcode.jse file is designed to
    >be used to display the source code of sample files called httplist.htm
    >and httplist.jse. These file names are passed as parameters to the NLM
    >through a URL such as (URL may wrap):
    >
    >http://10.0.25.5/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist/httplist.htm+httplist/httplist.jse
    >
    >The application checks the files being requested by requiring that the
    >httplist directory is specified in the path to the files to be viewed.
    >However, it is possible to traverse directories using /../ after
    >httplist. The sewse.nlm module runs with sufficient permissions whereby
    >it is possible to traverse to any file on the file system and view the contents.
    >There are many files that may be of interest to an attacker and these
    >include:[...]
    >
    >Workarounds:
    >~~~~~~~~~~~~
    >A workaround involves removing all sample web pages and sample NLMs.[...]
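
An added illustration, not part of the thread and not code from viewcode.jse: it compares the directory-name check the advisory describes, the `".."` substring filter quoted from the service-pack version, and a check that resolves the path before testing containment. The function names, the POSIX-style `BASE` path and the sample file name `my..notes.htm` are assumptions constructed for the example; the first check is only an approximation of the original behaviour.

```javascript
// Added example. All names here are hypothetical, not taken from viewcode.jse.
const path = require('path').posix;

// Constructed stand-in for the sewse sample directory on the SYS: volume.
const BASE = '/novonyx/suitespot/docs/sewse';

// Approximation of the check the advisory describes:
// the argument only has to name the httplist directory.
function originalCheck(arg) {
  return arg.split('/')[0] === 'httplist';
}

// The check quoted from the 03/12/01 viewcode.jse:
// refuse any argument that contains "..".
function patchedCheck(arg) {
  return arg.indexOf('..') === -1;
}

// Containment check: resolve the argument against the base directory
// first, then require the result to stay under BASE/httplist/.
function containedCheck(arg) {
  const allowed = path.join(BASE, 'httplist') + '/';
  const resolved = path.resolve(BASE, arg);
  return resolved.startsWith(allowed);
}

// Run all three checks on one argument (true means "file may be read").
function evaluate(arg) {
  return {
    original: originalCheck(arg),
    patched: patchedCheck(arg),
    contained: containedCheck(arg),
  };
}

// Arguments from the two URLs on this page, plus one constructed file name.
const samples = [
  'httplist/httplist.htm',
  'httplist/../../../../../system/autoexec.ncf',
  'httplist/my..notes.htm', // constructed: harmless name containing ".."
];

for (const arg of samples) {
  console.log(arg, JSON.stringify(evaluate(arg)));
}
```

The traversal argument passes only the directory-name check; the constructed file name shows that the substring filter also refuses a harmless name, while the resolved-path check accepts it.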